Most of them do it by encrypting the passwords with your master password so techncially you only have to trust the client on that one. But yeah, browser can get hacked, malicious client code can be pushed, lastly client bugs